Abstract

Simulations of specifications are introduced as a unification and generalization of refinement mappings, history variables, forward simulations, prophecy variables, and backward simulations. A specification implements another specification if and only if there is a simulation from the first one to the second one that satisfies a certain condition. By adding stutterings, the formalism allows the concrete behaviours to take more (or possibly fewer) steps than the abstract ones.

Eternity variables are introduced as a more powerful alternative for prophecy variables and backward simulations. This formalism is semantically complete: every simulation that preserves quiescence is a composition of a forward simulation, an extension with eternity variables, and a refinement mapping. This result does not need finite invisible nondeterminism and machine closure as in the Abadi-Lamport Theorem. The requirement of internal continuity is weakened to preservation of quiescence.

Almost all concepts are illustrated by tiny examples or counter-examples. 
1 Introduction

We propose eternity variables as a new formal tool to verify concurrent and distributed algorithms. Similar variables may have been used informally in the past in verifications, see e.g. [?]. Eternity variables can also be applied to improve the abstractness and conciseness of specifications. It is likely that they can be transferred to input-output automata, labelled transition systems, and perhaps even real-time and hybrid systems.

Apart from proposing eternity variables and proving their soundness and completeness, this paper may serve as an introduction to the various forms of simulation for not necessarily terminating programs. We illustrate almost all concepts by tiny toy examples to sharpen the intuition.
1.1 Auxiliary Variables

Eternity variables form a new kind of auxiliary variables, variables that are added to a program to argue about it. Auxiliary variables occur when, in order to analyse a program, say $K$, one extends it with auxiliary variables and actions upon them to a bigger program, say $L$, proves some property of $L$, and infers something for the program $K$ without them.

Since the seventies, auxiliary variables have been used to prove the correctness of concurrent systems, e.g. [?]. These auxiliary variables served to record the history of the system's behaviour. They are therefore sometimes called history variables. In e.g. [53], it is proved that they are sufficient to prove that a terminating concurrent system satisfies a specification in terms of pre- and postconditions. Such a result is called semantic completeness.

In this paper, we want to allow nonterminating programs and therefore use 
"abstract" programs as specifications. The correctness issue then becomes the 
question of the implementation relation between programs. Over the years, the 
idea of implementation has been formalized in many different settings, under 
names like refinement and simulation. 

In or before 1986, it was proved that the combination of forward and backward simulations was sufficient to prove "data refinement" for terminating programs [?]. In 1988, Abadi and Lamport [1] proposed prophecy variables to guess future behaviour of nonterminating programs. They proved that the combination of history variables, prophecy variables and refinement mappings is, in a certain sense, sufficient to prove arbitrary implementation relations between nonterminating programs. Although refinement mappings and extension with history variables can be regarded as forward simulations, and prophecy variables correspond to backward simulations, the two proofs of semantic completeness are very different and the two papers [1, ?] do not refer to each other. They even have disjoint bibliographies.

The soundness of prophecy variables relies on König's Lemma; therefore, application of them requires that the invisible (i.e. internal) nondeterminism of the system is finite. One may argue that imposing finiteness should be acceptable since computer storage is always finite. Consider however the case that the prophecy would be the guess of a sequence number for the transactions in a reactive system, say an operating system or a database. Without a bound on the numbers, the choice would be infinite, but it is unacceptable to impose a bound on the number of transactions in the specification of such a system. Indeed, one would rather specify that the system can proceed indefinitely. In Sect. 3.4 we give an example (Example H) to show the unsoundness of prophecy variables with a relation that allows infinite choices.

We therefore develop an alternative for prophecy variables that does not rely on König's Lemma. The eternity variable we propose as an alternative is less flexible: it is chosen only once, nondeterministically, before the computation starts. Its value must of course be related to the behaviour as it develops. This is dealt with in the so-called behaviour restriction. The proof of soundness for extension with eternity variables with a valid behaviour restriction is much easier than for prophecy variables.

The new combination of extension with eternity variables and forward simulations is also proved to be semantically complete. This proof is somewhat easier than the corresponding proof for prophecy variables. We actually have two versions of this result, which differ in the degree of ignoring stutterings.

1.2 Additional Technical Assumptions 

Our setting is the theory of Abadi and Lamport [1], where programs, systems, and specifications are all regarded as specifications. A specification is a state machine with a supplementary property. Behaviours of a specification are infinite sequences of states. Behaviours become visible by means of an observation function. A specification implements another one when all visible behaviours of the first one can occur as visible behaviours of the second one. Although they can change roles, let us call the implementing specification the concrete one and the implemented specification the abstract one.

Under some technical assumptions, Abadi and Lamport [1] proved that, when a specification $K$ implements a specification $L$, there exists an extension $M$ of $K$ with history variables and prophecy variables together with a refinement mapping from $M$ to $L$. The assumptions needed are that $K$ should be "machine closed", and that $L$ should be "internally continuous" and of "finite invisible nondeterminism".

In our alternative with eternity variables instead of prophecy variables, "internal continuity" is weakened to "preservation of quiescence" while the other two assumptions are eliminated. Preservation of quiescence means that, whenever the concrete specification can repeat the current state indefinitely, the abstract specification is allowed to do so as well. In other words, when the implementation stops, the specification allows this. Preservation of quiescence is quite common. Indeed, refinement mappings and extensions with history, prophecy or eternity variables all preserve quiescence.

1.3 Stuttering Behaviour 

Since the concrete specification may have to perform computation steps that are not needed for the abstract specification, we follow [1, 19] by allowing all specifications to stutter: a behaviour remains a behaviour when a state in it is duplicated.

In [1], it is also allowed that the concrete specification is faster than the abstract one: a concrete behaviour may have to be slowed down by adding stutterings in order to match some abstract behaviour. This may seem questionable since one may argue that, when the concrete specification needs fewer steps than the abstract one, the abstract one is not abstract enough. Yet, experience shows that there need not be anything wrong with a specification when the implementation can do with fewer steps [17].

We therefore developed two theories: a strict theory and a stuttering theory [?]. The stuttering theory corresponds to the setting of [1], where the concrete specification can do both more and fewer steps than the abstract specification. In the strict theory, the concrete specification can do more but not fewer steps than the abstract specification. This results in a hierarchy of implementations that is finer than for the stuttering theory. In this paper we only present the strict theory, since it is simpler and more elegant than the stuttering theory of [?].

1.4 Simulations of Specifications 

A refinement mapping is a function between the states that, roughly speaking, preserves the initial states, the next-state relation and the supplementary property. Adding history or prophecy variables to the state gives rise to forward and backward simulations.

We unify these three concepts by introducing simulations. Actually, the term "simulation" was introduced by Milner [?] in 1971. He used it for a kind of relation, which was later called downward or forward simulation to distinguish it from so-called upward or backward simulation [?, 21]. It seems natural and justified to reintroduce the term "simulation" for the common generalization.

Our simulations are certain binary relations. For the sake of simplicity, we treat binary relations as sets of pairs, with some notational conventions. Since we use $X \to Y$ for functions from $X$ to $Y$, and $P \Rightarrow Q$ for implication between predicates $P$ and $Q$, we write $F : K \rhd L$ to denote that relation $F$ is a simulation of specifications from $K$ to $L$. We hope the reader is not confused by the totally unrelated arrows $\rhd$ used in [?].

The notation $F : K \rhd L$ is inspired by category theory. Indeed, specifications with their simulations form the objects and morphisms of a category. Categories were introduced in mathematics in [?]. Since every introduction to category theory goes far beyond our needs, we refrain from further references.

Our first main result is a completeness theorem: a specification implements 
another one if and only if there is a certain simulation between them. This 
shows that our concept of simulation is general enough to capture the relevant 
phenomena. 

1.5 Eternity Variables and Completeness 

In the field of program verification, simulations serve to prove correctness, i.e., the existence of an implementation relation between a program and a specification. The idea of refinement calculus is to construct simulations by composing them. Refinement mappings and forward simulations are the main candidates, but they are not enough. In general, one also needs simulations with a kind of "prescient behaviour" as exhibited by backward simulations. It is at this point that our eternity variables come in.

An eternity variable is a kind of logical variable with a value constrained by the current execution. Technically, it is an auxiliary variable, which may be initialized nondeterministically and is never modified thereafter. Its value is constrained by a relation with the state. A behaviour that would violate such a constraint is discarded. The verifier of a program has to prove that the totality of constraints is not contradictory. For example, the eternity variable can be an infinite array while the conditions constrain different elements of it.

The simulation from the original specification to the one obtained by extending it with the eternity variable is called the eternity extension. We thus have four basic kinds of simulations: refinement mappings, forward simulations, backward simulations, and eternity extensions. Every composition of simulations is a simulation. If relation $G$ contains a simulation $K \rhd L$, then $G$ itself is a simulation $K \rhd L$. Therefore, in order to prove that some relation $G$ is a simulation $K \rhd L$, it suffices to find basic simulations such that the composition of them is contained in $G$. The completeness result is that, conversely, every simulation that preserves quiescence contains a composition of a forward simulation, an eternity extension, and a refinement mapping.

More specifically, every specification $K$ has a so-called unfolding $K^*$ with a forward simulation $K \rhd K^*$. Given a simulation $F : K \rhd L$ that preserves quiescence, we construct an intermediate specification $W$ as an extension of $K^*$ with an eternity variable, together with a refinement mapping $W \rhd L$, such that the composition of the simulations $K \rhd K^*$ and $K^* \rhd W$ and $W \rhd L$ is a subset of relation $F$.

When one wants to use eternity variables to prove some simulation relation, application of the unfolding $K^*$ is overkill. Instead, one introduces approximating history variables to collect the relevant parts of the history. In Sect. 4.3 we briefly discuss the methodological issues involved. A complete, but still tiny example is treated in Sect. 5. We refer to [?] for an actual application.

1.6 Overview

In Sect. 1.7 we briefly discuss related work. Sect. 1.8 contains technical material on relations and lists. We treat stuttering and temporal operators in Sect. 1.9. In Sect. 2 we introduce specifications and simulations, and prove the characterizing theorem for them. In Sect. 3 we present the theory of forward and backward simulations in our setting and introduce quiescence and preservation of quiescence. Eternity variables are introduced in Sect. 4, where we also prove soundness and semantic completeness for eternity variables in the strict theory. Sect. 5 contains a tiny application of the method: we consider a relation between the state spaces of two specifications and prove that it is a simulation by factoring it over a forward simulation, an eternity extension, an invariant restriction and two refinement mappings. Conclusions are drawn in Sect. 6.

A preliminary version [11] of this paper was presented at MPC 2002. The paper [11] is flawed by an incorrect completeness theorem; we only saw the need of preservation of quiescence some weeks before the conference when the proceedings were already in print.

New concepts in this paper are simulation, preservation of quiescence, and eternity extension. New results are the completeness theorem of simulation with respect to implementation in Sect. 2.4, the relationship between internal continuity and preservation of quiescence in Sect. 3.5, and the soundness and completeness of eternity extensions in Sect. 4.

1.7 Related Work

Our primary inspiration was [1] of Abadi and Lamport. Our formalism is a semantical version of Lamport's TLA [?]. Lynch and Vaandrager [21] and Jonsson [?] present forward and backward simulations and the associated results on semantic completeness in the closely related settings of untimed automata and fair labelled transition systems. Our investigation was triggered by the paper [?] of Cohen and Lamport on Lipton's Theorem [20] about refining atomicity. While working on the serializable database interface problem of [18, 20], we felt the need for variables with "prescient" behaviour without finiteness assumptions. This led us to the invention of eternity variables, which we applied successfully in the mean time to the serializable database interface in [?]. Jonsson, Pnueli, and Rump [15] present another way of proving refinement that avoids the finiteness assumptions of backward simulations. They use a very flexible concept of refinement based on so-called pomsets, but have no claim of semantic completeness.

1.8 Relations and Lists

We treat a binary relation as a set of pairs. So, a binary relation between sets $X$ and $Y$ is a subset of the Cartesian product $X \times Y$. We use the functions fst and snd given by $\mathit{fst}(x,y) = x$ and $\mathit{snd}(x,y) = y$. A binary relation on $X$ is a subset of $X \times X$. The identity relation $I_X$ on $X$ consists of all pairs $(x,x)$ with $x \in X$. Recall that a binary relation $A$ on $X$ is called reflexive iff $I_X \subseteq A$. The converse $\mathit{cv}(A)$ of a binary relation $A$ is defined by $\mathit{cv}(A) = \{(x,y) \mid (y,x) \in A\}$.

For binary relations $A$ and $B$, the composition $(A;B)$ is defined to consist of all pairs $(x,z)$ such that there exists $y$ with $(x,y) \in A$ and $(y,z) \in B$. A function $f : X \to Y$ is identified with its graph $\{(x, f(x)) \mid x \in X\}$, which is a binary relation between $X$ and $Y$. The composition of functions $f : X \to Y$ and $g : Y \to Z$ is a function $g \circ f : X \to Z$, which equals the relational composition $(f;g)$.

We use lists to represent consecutive values during computations. If $X$ is a set, we write $X^+$ for the set of the nonempty finite lists and $X^\omega$ for the set of infinite lists over $X$. We write $\ell(xs)$ for the length of list $xs$. The elements of $xs$ are $xs_i$ for $0 \le i < \ell(xs)$. If $xs$ is a list of length $\ell(xs) \ge n$, we define $(xs \mid n)$ to be its prefix of length $n$. We write $xs \sqsubseteq xt$ to denote that list $xs$ is a prefix of $xt$, possibly equal to $xt$. We define $\mathit{last} : X^+ \to X$ to be the function that returns the last element of a nonempty finite list.

A function $f : X \to Y$ induces a function $f^\omega : X^\omega \to Y^\omega$. For a binary relation $F \subseteq X \times Y$, we have an induced binary relation $F^\omega \subseteq X^\omega \times Y^\omega$ given by

$$(xs, ys) \in F^\omega \;\equiv\; (\forall i :: (xs_i, ys_i) \in F) .$$
1.9 Stuttering and Properties

Let $P$ be a set of infinite lists over $X$, i.e., a subset of $X^\omega$. We write $\neg P$ to denote the complement (negation) of $P$. For an infinite list $xs$, we write $\mathit{Suf}(xs)$ to denote the set of its infinite suffixes. The sets $\Box P$ (always $P$) and $\Diamond P$ (sometime $P$) are defined by

$$xs \in \Box P \;\equiv\; \mathit{Suf}(xs) \subseteq P , \qquad \Diamond P = \neg\Box\neg P .$$

So, $xs \in \Box P$ means that all suffixes of $xs$ belong to $P$, and $xs \in \Diamond P$ means that $xs$ has some suffix that belongs to $P$.

For $U \subseteq X$ and $A \subseteq X \times X$, the subsets $[U]$ and $[A]$ of $X^\omega$ are defined by

$$xs \in [U] \;\equiv\; xs_0 \in U , \qquad xs \in [A] \;\equiv\; (xs_0, xs_1) \in A .$$

So, $[U]$ consists of the infinite lists that start in $U$, and $[A]$ consists of the infinite lists that start with an $A$-transition.

We define a list $xs$ to be an unstuttering of a list $ys$, notation $xs \preceq ys$, iff $xs$ is obtained from $ys$ by replacing some finite nonempty subsequences $ss$ of consecutive equal elements of $ys$ with their first elements $ss_0$. The number of such subsequences that are replaced may be infinite. For example, if, for a finite list $vs$, we write $vs^\omega$ to denote the list obtained by concatenating infinitely many copies of $vs$, the list $(abbccb)^\omega$ is an unstuttering of $(aaabbbccb)^\omega$.

A finite list $xs$ is called stutterfree iff every pair of consecutive elements differ. An infinite list $xs$ is called stutterfree iff it stutters only after reaching a final state, i.e., iff $xs_i = xs_{i+1}$ implies $xs_{i+1} = xs_{i+2}$ for all $i$. For every infinite list $xs$, there is a unique stutterfree infinite list $xt$ with $xt \preceq xs$. For example, if $xs = (aaabbbccb)^\omega$ then $xt = (abcb)^\omega$.

A subset $P$ of $X^\omega$ is called a property over $X$ iff $xs \preceq ys$ implies that $xs \in P \equiv ys \in P$. This definition is equivalent to the one of [1]. If $P$ is a property, then $\neg P$, $\Box P$, and $\Diamond P$ are properties. If $U$ is a subset of $X$ then $[U]$ is a property. If $A$ is a reflexive relation on $X$ then $\Box[A]$ is a property, and it consists of the infinite lists with all transitions belonging to $A$.
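The stuttering notions of this section can be checked mechanically on finite lists and on infinite lists that are eventually periodic. The following Python script is an added example and not part of the paper; the representation of an infinite list $xs = \mathit{prefix} \cdot \mathit{period}^\omega$ as a pair (prefix, period) and all function names are our own choice. It computes run-length encodings, decides $xs \preceq ys$ for finite lists, and computes the unique stutterfree infinite list below a given eventually periodic list, including the case where a run of equal elements wraps around the period boundary or from the prefix into the period.

```python
"""Stuttering utilities for the list notation of Sect. 1.9.

Added example, not from the paper.  Finite lists are Python lists; an
infinite list xs = prefix . period^omega is represented by the pair
(prefix, period) with a nonempty period.  All names are ours.
"""
from itertools import groupby


def runs(xs):
    """Run-length encoding [(value, count), ...] of a finite list."""
    return [(v, len(list(g))) for v, g in groupby(xs)]


def compress(xs):
    """Replace every maximal run of equal consecutive elements by one element."""
    return [v for v, _ in runs(xs)]


def is_unstuttering(xs, ys):
    """xs <= ys for finite lists: xs arises from ys by shrinking some runs of
    equal consecutive elements.  Equivalently, both lists have the same run
    values in the same order and each run of xs is no longer than the
    corresponding run of ys."""
    rx, ry = runs(xs), runs(ys)
    return len(rx) == len(ry) and all(
        vx == vy and cx <= cy for (vx, cx), (vy, cy) in zip(rx, ry))


def unroll(prefix, period, n):
    """The first n elements of prefix . period^omega."""
    assert period, "period must be nonempty"
    out = list(prefix)
    while len(out) < n:
        out.extend(period)
    return out[:n]


def is_stutterfree_finite(xs):
    """Every pair of consecutive elements differs."""
    return all(a != b for a, b in zip(xs, xs[1:]))


def is_stutterfree_infinite(prefix, period):
    """xs_i = xs_{i+1} implies xs_{i+1} = xs_{i+2}: a stutter is only allowed
    once a final state is reached.  For an eventually periodic list it is
    enough to inspect the prefix followed by two periods (plus two elements):
    any stutter inside the periodic part recurs one period earlier, where the
    inspected tail still covers a full period."""
    xs = unroll(prefix, period, len(prefix) + 2 * len(period) + 2)
    for i in range(len(xs) - 1):
        if xs[i] == xs[i + 1] and any(x != xs[i] for x in xs[i + 1:]):
            return False
    return True


def stutterfree(prefix, period):
    """The unique stutterfree infinite list xt with xt <= prefix . period^omega,
    again as a (prefix, period) pair.  A constant period collapses to a
    one-element period (the allowed final stutter)."""
    p = compress(period)
    if len(p) > 1 and p[-1] == p[0]:
        p.pop()                      # the run wraps around the period boundary
    pre = compress(prefix)
    if pre and pre[-1] == p[0]:
        pre.pop()                    # the run wraps from the prefix into the period
    return pre, p


if __name__ == "__main__":
    print(compress(list("aaabbbccb")))                       # ['a', 'b', 'c', 'b']
    print(is_unstuttering(list("abbccb"), list("aaabbbccb")))  # True
    print(stutterfree([], list("aaabbbccb")))                 # ([], ['a', 'b', 'c', 'b'])
```

The check for finite lists works on run-length encodings because replacing a run by its first element never changes the order of the run values; the infinite case reduces to the finite one by unrolling far enough to see every stutter at least once with a full period behind it.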

2 Specifications and Simulations

In this section we introduce the central concepts of the theory. Following [1], we define specifications in Sect. 2.1. Refinement mappings are introduced in Sect. 2.2. In Sect. 2.3 we define simulations. In Sect. 2.4 we define visible specifications and their implementation relations, and we prove that simulations characterize the implementations between visible specifications.

2.1 Specifications

A specification is defined to be a tuple $K = (X, Y, N, P)$ where $X$ is a set, $Y$ is a subset of $X$, $N$ is a reflexive binary relation on $X$, and $P$ is a property over $X$. The set $X$ is called the state space, its elements are called states, the elements of $Y$ are called initial states. Relation $N$ is called the next-state relation. The set $P$ is called the supplementary property.

We define an initial execution of $K$ to be a nonempty list $xs$ over $X$ with $xs_0 \in Y$ and such that every pair of consecutive elements belongs to $N$. We define a behaviour of $K$ to be an infinite initial execution $xs$ of $K$ with $xs \in P$. We write $\mathit{Beh}(K)$ to denote the set of behaviours of $K$.

The triple $(X, Y, N)$ can be regarded as a state machine [1]. The supplementary property $P$ is often used for fairness conditions but can also be applied for other purposes. The initial executions of $K$ are determined by the state machine. The supplementary property is a restriction on the behaviours.

It is easy to see that $\mathit{Beh}(K) = [Y] \cap \Box[N] \cap P$. It follows that $\mathit{Beh}(K)$ is a property. The requirement that relation $N$ is reflexive is imposed to allow stuttering: if $xs$ is a behaviour of $K$, any list $ys$ obtained from $xs$ by repeating elements of $xs$ or by removing subsequent duplicates is also a behaviour of $K$. In particular, for every behaviour $xs$ of $K$, there is a unique stutterfree behaviour $xt$ of $K$ with $xt \preceq xs$.

The components of specification $K = (X, Y, N, P)$ are denoted $\mathit{states}(K) = X$, $\mathit{start}(K) = Y$, $\mathit{step}(K) = N$ and $\mathit{prop}(K) = P$.

Specification $K$ is defined to be machine closed [1] iff every finite initial execution of $K$ can be extended to a behaviour of $K$. We would encourage specifiers to write specifications that are not machine closed whenever that improves clarity, e.g., see [?, Sect. 3.2.3]. If the specification is not machine closed, it is important to distinguish between states reachable from initial states and states that occur in behaviours.

We therefore define a state of $K$ to be reachable iff it occurs in an initial execution of $K$, and to be occurring iff it occurs in a behaviour of $K$. A subset of $\mathit{states}(K)$ is called a forward invariant iff it contains all reachable states. It is called an invariant iff it contains all occurring states. Recall that a subset is called a strong invariant (or inductive [22]) iff it contains all initial states and is preserved in every step, i.e. $J$ is a strong invariant iff $Y \subseteq J$ and $y \in J$ for every pair $(x,y) \in N$ with $x \in J$. It is easy to see that every strong invariant is a forward invariant and that every forward invariant is an invariant.

Example A. Reachable states need not be occurring, an invariant need not be a forward invariant, and a forward invariant need not be a strong invariant. This is shown by the following program

    var k : Int := 0 ;
    do k = 0 → choose k > 0 ;
    [] k ≠ 0 → k := k − 2 ;
    od ;
    prop: infinitely often k = 0 .

Note that this program only stands for a specification. It is not supposed to be directly executable.

Formally, the specification is $(X, Y, N, P)$ where $X$ is the set of the integers and $Y = \{0\}$. A pair $(k, k')$ belongs to relation $N \subseteq X \times X$ if and only if

$$(k = 0 \land k' > 0) \;\lor\; (k \ne 0 \land k' = k - 2) \;\lor\; k' = k .$$

The third disjunct serves to allow stuttering. Property $P$ consists of the infinite sequences with infinitely many zeroes, i.e. $P = \Box\Diamond[Y]$. It follows that the only occurring states are the even natural numbers. So, the even natural numbers form an invariant $J_0$. The set of the natural numbers is also an invariant. The set of reachable states is $J_1 = \{k \mid k \ge 0 \lor k \bmod 2 = 1\}$. Therefore $J_0$ is not a forward invariant. The set $J_1 \cup \{-2\}$ is a forward invariant but not a strong invariant, since there is a step from $-2$ to $-4$. □
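The three invariance notions of Example A can be checked mechanically on a finite window of the integers. The following Python script is an added example, not from the paper. It restricts the state space and the choice $k > 0$ to the constructed window $-20 \ldots 20$ (an assumption of the script, since the paper's state space is all of Int), computes the reachable states by a forward search, and computes the occurring states as the reachable states from which 0 can still be reached; that characterization is specific to this example, where the property "infinitely often $k = 0$" forces every behaviour to return to 0 and, from 0, the cycle $0 \to 2 \to 0$ can be repeated forever. It then tests $J_0$, $J_1$ and $J_1 \cup \{-2\}$ against the definitions of invariant, forward invariant and strong invariant. All names are ours.

```python
"""Reachable, occurring, and the three kinds of invariants for Example A.

Added example, not from the paper.  WINDOW is a constructed finite bound on
the state space Int and on the choice k > 0; all names are ours.
"""
from collections import deque

WINDOW = range(-20, 21)      # constructed bound; the paper's state space is Int
START = {0}                  # Y = {0}


def step(k, k2):
    """(k, k2) in N: the three disjuncts given for Example A, restricted to WINDOW."""
    if k2 not in WINDOW:
        return False
    return (k == 0 and k2 > 0) or (k != 0 and k2 == k - 2) or k2 == k


def successors(k):
    return {k2 for k2 in WINDOW if step(k, k2)}


def reachable(start=START):
    """States occurring in some initial execution: forward search from the
    initial states along N."""
    seen, todo = set(start), deque(start)
    while todo:
        k = todo.popleft()
        for k2 in successors(k):
            if k2 not in seen:
                seen.add(k2)
                todo.append(k2)
    return seen


def can_reach(target, states):
    """Backward closure: the states in `states` from which some state of
    `target` is reachable along N."""
    seen, todo = set(target), deque(target)
    while todo:
        k2 = todo.popleft()
        for k in states:
            if k not in seen and step(k, k2):
                seen.add(k)
                todo.append(k)
    return seen


def occurring():
    """States occurring in some behaviour.  In Example A a behaviour must visit
    0 infinitely often, so a reachable state occurs iff 0 is reachable from it;
    the behaviour then repeats 0 -> 2 -> 0 forever.  (Argument specific to
    this example.)"""
    r = reachable()
    return r & can_reach({0}, r)


def is_invariant(J):
    """Contains all occurring states."""
    return occurring() <= set(J)


def is_forward_invariant(J):
    """Contains all reachable states."""
    return reachable() <= set(J)


def is_strong_invariant(J):
    """Contains the initial states and is preserved by every step (inductive)."""
    J = set(J)
    return START <= J and all(successors(k) <= J for k in J)


if __name__ == "__main__":
    J0 = {k for k in WINDOW if k >= 0 and k % 2 == 0}      # even naturals
    J1 = {k for k in WINDOW if k >= 0 or k % 2 == 1}       # reachable states
    print("occurring:", sorted(occurring()))
    print("J0 invariant / forward:", is_invariant(J0), is_forward_invariant(J0))
    print("J1 forward / strong:", is_forward_invariant(J1), is_strong_invariant(J1))
    print("J1 u {-2} forward / strong:",
          is_forward_invariant(J1 | {-2}), is_strong_invariant(J1 | {-2}))
```

Within the window the odd negative states $-1, -3, \ldots$ are reachable but never occur, which is exactly why $J_0$ is an invariant without being a forward invariant; the strong-invariant check fails for $J_1 \cup \{-2\}$ on the single step from $-2$ to $-4$.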

2.2 Refinement Mappings

Let $K$ and $L$ be specifications. A function $f : \mathit{states}(K) \to \mathit{states}(L)$ is called a refinement mapping [1] from $K$ to $L$ iff $f(x) \in \mathit{start}(L)$ for every $x \in \mathit{start}(K)$, and $(f(x), f(x')) \in \mathit{step}(L)$ for every pair $(x,x') \in \mathit{step}(K)$, and $f^\omega(xs) \in \mathit{prop}(L)$ for every $xs \in \mathit{Beh}(K)$. Refinement mappings form the simplest way to compare different specifications.

Example B. For $m \ge 1$, let $K(m)$ be the specification that corresponds to the program

    var j : Nat := 0 ;
    do true → j := (j + 1) mod m od ;
    prop: j changes infinitely often.

We thus have $\mathit{states}(K(m)) = \mathbb{N}$, $\mathit{start}(K(m)) = \{0\}$, $\mathit{prop}(K(m)) = \Box\Diamond[\neq]$ (where $\neq$ stands for the relation consisting of the pairs of distinct states), and

$$(j, j') \in \mathit{step}(K(m)) \;\equiv\; j' \in \{ j, (j+1) \bmod m \} .$$

In order to give an example of a refinement mapping, we regard $K(20)$ as an implementation of $K(13)$. Let $f : \mathbb{N} \to \mathbb{N}$ be the function given by $f(j) = \min(j, 12)$. It is easy to verify that $f$ is a refinement mapping from $K(20)$ to $K(13)$. Note that the abstract behaviour (in $K(13)$) stutters whenever the concrete behaviour (in $K(20)$) is proceeding from 12 to 19. This example shows that it is useful that the next-state relation is always reflexive. □

2.3 Simulations

Recall from Sect. 1.8 that a relation $F$ between $\mathit{states}(K)$ and $\mathit{states}(L)$ induces a relation $F^\omega$ between the sets of infinite lists $(\mathit{states}(K))^\omega$ and $(\mathit{states}(L))^\omega$.

We define relation $F$ to be a simulation $K \rhd L$ iff, for every behaviour $xs \in \mathit{Beh}(K)$, there exists a behaviour $ys \in \mathit{Beh}(L)$ with $(xs, ys) \in F^\omega$. The following two examples show that refinement mappings are not enough and that simulations are useful.

Example C. We use the specifications $K(m)$ and $K(2 \cdot m)$ according to Example B. Let the binary relation $F$ be given by

$$(j, k) \in F \;\equiv\; j = k \bmod m .$$

Then $F$ is a simulation $K(m) \rhd K(2 \cdot m)$, but there is no refinement mapping from $K(m)$ to $K(2 \cdot m)$. □

Example D. We consider two specifications $K$ and $L$, both with state space $X = \{0, 1, 2, 3, 4\}$, initial set $Y = \{4\}$, and property $\Diamond[\{0,1\}]$. The next-state relations are

$$\mathit{step}(K) = I_X \cup \{(4,2), (2,1), (2,0)\} , \qquad \mathit{step}(L) = I_X \cup \{(4,3), (4,2), (3,1), (2,0)\} .$$

(Figure: the transition graphs of $K$ and $L$.)

Both specifications have the final outcomes 0 and 1, but $K$ postpones the choice, while $L$ chooses immediately. We regard only the final states 0 and 1 as visible. The stutterfree behaviours of $K$ are $(4, 2, 0^\omega)$ and $(4, 2, 1^\omega)$, while those of $L$ are $(4, 2, 0^\omega)$ and $(4, 3, 1^\omega)$. Therefore, $K$ and $L$ implement each other. One can easily verify that relation $F = I_X \cup \{(2,3)\}$ is a simulation $F : K \rhd L$. There is no refinement mapping $f$ from $K$ to $L$ with $f(0) = 0$ and $f(1) = 1$, since the concrete specification $K$ makes the choice between the outcomes later than the abstract specification $L$. At concrete state 2, simulation $F$ "needs prescience" to choose between the abstract states 2 and 3. □



In general, it should be noted that the mere existence of a simulation $F : K \rhd L$ does not imply much. If $F : K \rhd L$ and $G$ is a relation with $F \subseteq G$, then $G : K \rhd L$. Therefore, the smaller the simulation, the more information it carries. It is easy to verify that simulations can be composed: if $F$ is a simulation $K \rhd L$ and $G$ is a simulation $L \rhd M$, the composed relation $(F;G)$ is a simulation $K \rhd M$. It is also easy to verify that a refinement mapping $f : \mathit{states}(K) \to \mathit{states}(L)$, when regarded as a relation as in Sect. 1.8, is a simulation $K \rhd L$.

We often encounter the following situation. A specification $L$ is regarded as an extension of specification $K$ with a variable of a type $M$ iff $\mathit{states}(L)$ is (a subset of) the Cartesian product $\mathit{states}(K) \times M$ and the function $\mathit{fst} : \mathit{states}(L) \to \mathit{states}(K)$ is a refinement mapping. The second component of the states of $L$ is then regarded as the variable added. The extension is called a refinement extension iff the converse $\mathit{cv}(\mathit{fst})$ is a simulation $K \rhd L$.



2.4 Visibility and Completeness of Simulation

We are usually not interested in all details of the states, but only in certain aspects of them. This means that there is a function from $\mathit{states}(K)$ to some other set that we regard as an observation function. A visible specification is therefore defined to be a pair $(K, f)$ where $K$ is a specification and $f$ is some function defined on $\mathit{states}(K)$. Deviating from [1], we define the set of observations by

$$\mathit{Obs}(K, f) = \{ f^\omega(xs) \mid xs \in \mathit{Beh}(K) \} .$$

Note that $\mathit{Obs}(K, f)$ need not be a property. If $xs$ is an observation and $ys \preceq xs$, then $ys$ need not be an observation.

Example E. Assume we are observing $K(13)$ of Example B with the test $j > 0$. So, we use the observation function $f(j) = (j > 0)$. Then the observations are the boolean lists with infinitely many values true and infinitely many values false, in which every true stutters at least 12 times. □

Let $(K,f)$ and $(L,g)$ be visible specifications with the functions $f$ and $g$ mapping to the same set. Then $(K,f)$ is said to implement $(L,g)$ iff $\mathit{Obs}(K,f)$ is contained in $\mathit{Obs}(L,g)$, i.e., iff for every $xs \in \mathit{Beh}(K)$ there exists $ys \in \mathit{Beh}(L)$ with $f^\omega(xs) = g^\omega(ys)$. This concept of implementation is stronger than that of [1]: we do not allow that an observation of $(K,f)$ can only be mimicked by $(L,g)$ after inserting additional stutterings.

Our concept of simulation is motivated by the following completeness theorem, the proof of which is rather straightforward.

Theorem 0. Consider visible specifications $(K,f)$ and $(L,g)$ where $f$ and $g$ are functions to the same set. We have that $(K,f)$ implements $(L,g)$ if and only if there is a simulation $F : K \rhd L$ with $(F;g) \subseteq f$.

Proof. The proof is by mutual implication.

First, assume the existence of a simulation $F : K \rhd L$ with $(F;g) \subseteq f$. Let $zs \in \mathit{Obs}(K,f)$. We have to prove that $zs \in \mathit{Obs}(L,g)$. By the definition of Obs, there exists $xs \in \mathit{Beh}(K)$ with $zs = f^\omega(xs)$. Since $F$ is a simulation, there exists $ys \in \mathit{Beh}(L)$ with $(xs, ys) \in F^\omega$. For every number $n$, we have $(xs_n, ys_n) \in F$ and, hence, $(xs_n, g(ys_n)) \in (F;g) \subseteq f$ and, hence, $g(ys_n) = f(xs_n) = zs_n$. This implies that $zs = g^\omega(ys) \in \mathit{Obs}(L,g)$.

Next, assume that $(K,f)$ implements $(L,g)$. We define relation $F$ between $\mathit{states}(K)$ and $\mathit{states}(L)$ by $F = \{(x,y) \mid f(x) = g(y)\}$. For every pair $(x,z) \in (F;g)$ there exists $y$ with $(x,y) \in F$ and $(y,z) \in g$; we then have $f(x) = g(y) = z$. This proves $(F;g) \subseteq f$. It remains to prove that $F$ is a simulation $K \rhd L$. Let $xs \in \mathit{Beh}(K)$. Since $\mathit{Obs}(K,f) \subseteq \mathit{Obs}(L,g)$, there is $ys \in \mathit{Beh}(L)$ with $f^\omega(xs) = g^\omega(ys)$. We thus have $(xs, ys) \in F^\omega$. This proves that $F$ is a simulation $K \rhd L$. □

Example F. Consider the visible specifications $(K,f)$ and $(L,g)$ with $K = K(m)$ and $L = K(2 \cdot m)$ as in Example C, with $f, g : \mathbb{N} \to \mathbb{N}$ given by $f(j) = j$ and $g(j) = j \bmod m$. Then relation $F$ as constructed in the above proof equals relation $F$ of Example C. □
3 Special Simulations

In this section we introduce forward and backward simulations as special kinds of simulations. Forward simulations are introduced in Sect. 3.1. They correspond to refinement mappings and to the well-known addition of history variables. In Sect. 3.2 we show that invariants give rise to simulations. In Sect. 3.3 we introduce the unfolding [2] of a specification, which plays a key role in several proofs of semantic completeness. Backward simulations are introduced in Sect. 3.4. Quiescence and preservation of quiescence are introduced in Sect. 3.5.

3.1 Flatness and Forward Simulations

We start with a technical definition concerning the supplementary property of the related specifications. A relation $F$ between $\mathit{states}(K)$ and $\mathit{states}(L)$ is defined to be flat from $K$ to $L$ iff every infinite initial execution $ys$ of $L$ with $(xs, ys) \in F^\omega$ for some $xs \in \mathit{Beh}(K)$ satisfies $ys \in \mathit{prop}(L)$.

It turns out that all our basic kinds of simulations are flat. Indeed, refinement mappings are flat and we need flatness as a defining condition for both forward and backward simulations. Flatness always serves as the finishing touch in the construction of the abstract behaviour. Yet, flatness is not a nice property: in Example G below, we show that the composition of two flat simulations need not be flat.

The easiest way to prove that one specification simulates (the behaviour 
of) another is by starting at the beginning and constructing the corresponding 
behaviour in the other specification inductively. This requires a condition em- 
bodied in so-called forward or downward simulations [1, 21], which go back at 
least to [23]. They are defined as follows. 

A relation $F$ between $states(K)$ and $states(L)$ is defined to be a forward 
simulation from specification $K$ to specification $L$ iff 

(F0) For every $x \in start(K)$, there is $y \in start(L)$ with $(x, y) \in F$. 

(F1) For every pair $(x,y) \in F$ and every $x'$ with $(x,x') \in step(K)$, there is $y'$ 
with $(y,y') \in step(L)$ and $(x',y') \in F$. 

(F2) Relation $F$ is flat from $K$ to $L$. 

Examples. It is easy to verify that relation $F$ of Example C is a forward sim- 
ulation. Every refinement mapping, when regarded as a relation, is a forward 
simulation. □ 

The definition of forward simulations is justified by the following well-known 
result: 

Lemma. Every forward simulation $F$ from $K$ to $L$ is a simulation $K \multimap L$. 

Proof. Let $xs \in Beh(K)$ be given. Then $xs_0 \in start(K)$, so by (F0), there is 
$ys_0 \in start(L)$ with $(xs_0, ys_0) \in F$. Since $(xs_n, xs_{n+1}) \in step(K)$ for all $n$, we 
can use (F1) inductively to construct an infinite initial execution $ys$ of $L$ that 
satisfies $(xs_n, ys_n) \in F$ for all $n$. Since relation $F$ is flat, we conclude that $ys$ is 
a behaviour of $L$ with $(xs, ys) \in F^\omega$. Therefore $F$ is a simulation $K \multimap L$. □ 
Example G. Let $X = [0 .. N]$ for some number $N \geq 2$. Let $K$ be the specifica- 
tion with the program 

var k : X := 0 ; 
do true → choose k ∈ X od ; 
prop: k changes infinitely often and is sometimes 1. 

So, we have $states(K) = X$, $start(K) = \{0\}$, and $step(K) = X^2$. The property 
$prop(K)$ is the intersection of the set of lists in which $k$ changes infinitely often 
and $\Diamond[\,k = 1\,]$. 

Let $L$ be the specification with 

var j : X := 0 , 
    b : Boolean := false ; 
do true → choose j ∈ X ; 
[] j = 1 → b := true ; choose j ∈ X ; 
od ; 
prop: b is sometimes true. 

In such programs, we regard the alternatives in the do loop as atomic. So we 
have 

$((j,b),(j',b')) \in step(L) \;\equiv\; (b' = b) \vee (j = 1 \wedge b')$ . 

The property is $prop(L) = \Diamond[\,b\,]$. 

It is easy to show that relation $F = \{(k,(j,b)) \mid k = j\}$ is a simulation 
$K \multimap L$. Indeed, let $xs$ be a behaviour of $K$. Then there is an index $r$ with 
$xs_r = 1$. Let $ys$ be the sequence in $states(L)$ given by $ys_i = (xs_i, (r < i))$ 
for all $i$. Since the boolean component $b$ of $ys$ becomes true in a step with 
precondition $j = 1$, this is a behaviour of $L$, which satisfies $(xs, ys) \in F^\omega$. 
Simulation $F : K \multimap L$ is not flat, since the sequence $zs$ with $zs_i = (xs_i, \mathit{false})$ 
for all $i$ is not a behaviour of $L$ but is an infinite initial execution of $L$ with 
$(xs, zs) \in F^\omega$. 

In order to show that $F$ is a composition of two forward simulations, we 
make specification $L$ more deterministic. Let $L'$ be the specification obtained 
from $L$ by restricting the step relation to 

do j ≠ 1 → choose j ∈ X ; 
[] j = 1 → b := true ; choose j ∈ X ; 
od . 

Since stuttering must be allowed, a pair $((j,b),(j',b'))$ belongs to $step(L')$ if and 
only if 

$b' = (b \vee j = 1) \;\vee\; (j = j' \wedge b = b')$ . 

The above relation $F$ is a forward simulation $K \multimap L'$. Indeed, condition (F0) 
is obvious. Condition (F1) holds since every step of $K$ can be mimicked by 
$L'$. Flatness is shown as follows. Let $xs$ be a behaviour of $K$. The property of 
$K$ implies that there is an index $r$ with $xs_r = 1 \neq xs_{r+1}$. If $ys$ is an infinite 
initial execution of $L'$ with $(xs, ys) \in F^\omega$, then $ys$ is a behaviour of $L'$ since 
$ys_{r+1} = (xs_{r+1}, \mathit{true})$. 

It is easy to verify that the identity function $id$ is a refinement mapping 
$L' \multimap L$ and hence a forward simulation. The simulation $F : K \multimap L$ is clearly 
the composition $F = (F; id)$. So, here we have indeed a nonflat composition of 
two forward simulations. □ 

3.2 Invariant Restriction 

Invariants are often used to restrict the state space implicitly. When the state 
space is made explicit, restriction to an invariant subspace turns out to be a 
simulation. 

Slightly more generally, let $D$ be a subset of $states(K)$ for a specification $K$. 
Then we can define the $D$-restricted specification $K_D$ by $states(K_D) = D$, 
$start(K_D) = D \cap start(K)$, $step(K_D) = D^2 \cap step(K)$ and $prop(K_D) = 
D^\omega \cap prop(K)$. Indeed, it is easy to verify that $step(K_D)$ is reflexive and that 
$prop(K_D)$ is a property. The following result characterizes invariants via simu- 
lations. 

Lemma 0. (a) The identity relation $1_D$ is a simulation $K \multimap K_D$ if and only 
if $D$ is an invariant. 

(b) $1_D$ is a forward simulation $K \multimap K_D$ if and only if $D$ is a strong invariant. 
We skip the proof, since it is fairly straightforward and not interesting. 

3.3 The Unfolding 

The unfolding $K^*$ of a specification $K$ plays a key role in the proofs of semantic 
completeness in [?] as well as in our semantic completeness result below. 

It is defined as follows: $states(K^*)$ consists of the stutterfree finite ini- 
tial executions of $K$. The initial set $start(K^*)$ consists of the elements $xs \in 
states(K^*)$ with $\ell(xs) = 1$. The next-state relation $step(K^*)$ and the property 
$prop(K^*) \subseteq (states(K^*))^\omega$ are defined by 

$(xs, xt) \in step(K^*) \;\equiv\; xs \sqsubseteq xt \wedge \ell(xt) \leq \ell(xs) + 1$ , 
$vss \in prop(K^*) \;\equiv\; last^\omega(vss) \in prop(K)$ . 

So, the nonstuttering steps of $K^*$ are the pairs $(xs, xt)$ with $xs \sqsubseteq xt$ and 
$\ell(xt) = \ell(xs) + 1$. 

It is easy to prove that $K^*$ is a specification. The function $last : states(K^*) \to 
states(K)$ is a refinement mapping. Moreover, if $(xs, xt) \in step(K^*)$ and 
$xs \neq xt$, then $last(xs) \neq last(xt)$ since $xt$ is stutterfree. We are more inter- 
ested, however, in the other direction. The following result of [1] is not difficult 
to prove. 

Lemma 1. Relation $cvl = cv(last)$ is a forward simulation $K \multimap K^*$. □ 
In Sect. 4.2 below, we shall need the following result. 

Lemma 2. Let $xs = last^\omega(vss)$ for a stutterfree behaviour $vss$ of $K^*$. Then $xs$ 
is a behaviour of $K$ with $vss_i \sqsubseteq xs$ for all indices $i$. 

Proof. Since $vss$ is a behaviour of $K^*$, it is easy to verify that $xs$ is a behaviour 
of $K$. We now distinguish two cases. First, assume that $vss_i \neq vss_{i+1}$ for all $i$. 
Then $\ell(vss_i) = i + 1$ for all $i$. It follows that $vss_i = (xs \mid i+1)$ for all $i$. Otherwise, 
let $r$ be minimal with $vss_r = vss_{r+1}$. Since $vss$ is stutterfree, $vss_i = vss_r$ for 
all $i \geq r$. This implies $\ell(vss_i) = \min(i, r) + 1$ for all indices $i$. It follows that 
$vss_i = (xs \mid i+1)$ for all $i$ with $0 \leq i \leq r$ and $vss_i = (xs \mid r+1)$ for all $i$ with 
$r \leq i < \infty$. In either case, we have $vss_i \sqsubseteq xs$ for all indices $i$. □ 

3.4 Backward Simulations 

It is also possible to prove that one specification simulates (the behaviour of) 
another by starting arbitrarily far in the future and constructing a corresponding 
initial execution by working backwards. An infinite behaviour is then obtained 
by a variation of König's Lemma. These so-called backward simulations [21] 
form a relational version of the prophecy variables of [1] and are related to the 
upward simulations of [?]. We give a variation of Jonsson's version [14]. 

Relation $F$ between $states(K)$ and $states(L)$ is defined to be a backward 
simulation from $K$ to $L$ iff 

(B0) Every pair $(x,y) \in F$ with $x \in start(K)$ satisfies $y \in start(L)$. 

(B1) For every pair $(x',y') \in F$ and every $x$ with $(x,x') \in step(K)$, there is $y$ 
with $(x,y) \in F$ and $(y,y') \in step(L)$. 

(B2) For every behaviour $xs$ of $K$ there are infinitely many indices $n$ for which 
the set $\{y \mid (xs_n, y) \in F\}$ is nonempty and finite. 

(B3) Relation $F$ is flat from $K$ to $L$. 

The simulation $F$ presented in Example D in Sect. 2.3 is a very simple example 
of a backward simulation. The verification of this is straightforward, though 
somewhat cumbersome. 
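Conditions (F0) and (F1) of Sect. 3.1 and (B0) and (B1) above are finite checks when both specifications are finite. The following Python script is an added example, not part of the paper: it represents a specification by its state set, its initial states and a step relation closed under stuttering, and applies both checks to the relation $F$ of Example G (instantiated with $N = 3$, against $L'$) and to the relation $F = \{(0,0),(0,2),(1,1)\}$ of Example I in Sect. 3.5 below. The encoding of the specifications as dictionaries and the functions `forward_violation` and `backward_violation` are this example's own; (F2), (B2) and (B3) quantify over infinite behaviours and are not checked here.

```python
from itertools import product

def make_spec(states, start, steps):
    """A finite specification without supplementary property: state set,
    initial states, and the next-state relation closed under stuttering."""
    states = set(states)
    return {"states": states, "start": set(start),
            "step": set(steps) | {(s, s) for s in states}}

def forward_violation(K, L, F):
    """None if F satisfies (F0) and (F1) from K to L; otherwise the first
    condition that fails, together with the witnesses."""
    for x in sorted(K["start"], key=repr):                    # (F0)
        if not any((x, y) in F for y in L["start"]):
            return ("F0", x)
    for (x, y) in sorted(F, key=repr):                        # (F1)
        for (a, x2) in sorted(K["step"], key=repr):
            if a == x and not any((y, y2) in L["step"] and (x2, y2) in F
                                  for y2 in L["states"]):
                return ("F1", (x, y), x2)
    return None

def backward_violation(K, L, F):
    """None if F satisfies (B0) and (B1) from K to L; otherwise a witness.
    (B2) and (B3) quantify over infinite behaviours and are not checked."""
    for (x, y) in sorted(F, key=repr):                        # (B0)
        if x in K["start"] and y not in L["start"]:
            return ("B0", (x, y))
    for (x2, y2) in sorted(F, key=repr):                      # (B1)
        for (x, b) in sorted(K["step"], key=repr):
            if b == x2 and not any((x, y) in F and (y, y2) in L["step"]
                                   for y in L["states"]):
                return ("B1", (x2, y2), x)
    return None

# Example G with N = 3 (constructed instance): step(K) = X^2, and L' has the
# step relation b' = (b or j = 1), plus stuttering.
X = range(4)
K_G = make_spec(X, {0}, product(X, X))
LP_STATES = list(product(X, (False, True)))
LP_G = make_spec(LP_STATES, {(0, False)},
                 ((s, t) for s, t in product(LP_STATES, LP_STATES)
                  if t[1] == (s[1] or s[0] == 1)))
F_G = {(k, s) for k in X for s in LP_STATES if s[0] == k}

# Example I (Sect. 3.5): X = {0, 1, 2}, initial state 1.
Y = (0, 1, 2)
K_I = make_spec(Y, {1}, {(1, 0), (0, 1)})
L_I = make_spec(Y, {1}, {(1, 0), (1, 2), (2, 1)})
F_I = {(0, 0), (0, 2), (1, 1)}

if __name__ == "__main__":
    print(forward_violation(K_G, LP_G, F_G))   # None
    print(backward_violation(K_G, LP_G, F_G))  # ('B0', (0, (0, True)))
    print(forward_violation(K_I, L_I, F_I))    # ('F1', (0, 0), 1)
    print(backward_violation(K_I, L_I, F_I))   # None
```

The checker confirms (F0) and (F1) for the relation of Example G, and reports that the same relation violates (B0) at the pair $(0,(0,\mathit{true}))$, because $(0,\mathit{true})$ is not an initial state of $L'$. For Example I it reports the pair $(0,0)$ with the $K$ step $0 \to 1$ as the (F1) violation: $L$ has to be at state 2 already to match that step, which is exactly the prescience that forward simulations cannot express, while (B0) and (B1) hold for that relation.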

An auxiliary variable added to the state space via a backward simulation is 
called a prophecy variable [1] since it seems to show "prescient" behaviour. In 
such a case, the relation is called a prophecy relation in [23]. The term backward 
simulations is justified by the following soundness result, the proof of which is 
a direct adaptation of the proof in [1]. 

Lemma. Every backward simulation $F$ from $K$ to $L$ is a simulation $K \multimap L$. 
□ 

The empty relation $F = \emptyset$ always satisfies (B0), (B1), and (B3), but if $K$ 
has any behaviour, the empty relation is not a simulation from $K$ to $L$. This 
justifies the nonemptiness condition in (B2). The following example shows that 
some finiteness in (B2) is also needed. 

Example H: the unsound doomsday prophet. Let $L$ be the following extension 
of specification $K(13)$ of Example B with a natural variable $k$. 

var j : Nat := 0 , k : Nat {arbitrary} ; 
do k > j → j := (j + 1) mod 13 ; k := k − 1 od ; 
prop: j changes infinitely often. 

Since $k$ cannot decrease infinitely often, $j$ cannot change infinitely often. There- 
fore, specification $L$ has no behaviours. Since $K(13)$ has behaviours, there can- 
not exist any simulation $K(13) \multimap L$. The function $fst : states(L) \to states(K(13))$ 
is a refinement mapping. Its converse, $F = cv(fst)$, cannot be a simulation 
$K(13) \multimap L$, but it is easily seen to satisfy (B0), (B1), and (B3). Indeed, it does 
not satisfy (B2) since $\{y \mid (x,y) \in F\}$ is infinite for every $x \in states(K(13))$. 

The initial value of $k$ can be regarded as a prophecy of doomsday, whence 
the name of the example. Note that $K(13)$ is deterministic and that the only 
nondeterminism in $L$ is the infinite choice in the initialization. Also, note that 
we can restore condition (B2) by introducing a bound, say $k < 1000$, for the 
initial choice of $k$, but then condition (B1) is invalidated. □ 

3.5 Preservation of Quiescence 

The completeness result of the next section needs the concept of "preservation 
of quiescence". Roughly speaking, a behaviour is quiescent at a given state if it 
remains a behaviour when the behaviour after the state is replaced by an infinite 
repetition of the state. Preservation of quiescence means that the abstract 
behaviour can be quiescent whenever the concrete behaviour is quiescent. It is 
formalized as follows. 

Given a natural number $n$ and an infinite list $xs$, we define the infinite list 
$E_n(xs)$ as the concatenation of $(xs \mid n)$ with the infinite repetition of the state 
$xs_n$. We thus have $(E_n(xs))_k = xs_m$ where $m$ is the minimum of $n$ and $k$. A 
number $n$ is a quiescent index of $xs$ for specification $K$ iff $E_n(xs)$ is a behaviour 
of $K$. The set of quiescent indices of $xs$ for $K$ is defined as 

$Q_K(xs) = \{n \mid E_n(xs) \in Beh(K)\}$ . 

Let $K$ and $L$ be specifications. A simulation $F : K \multimap L$ is said to preserve 
quiescence iff, for every $xs \in Beh(K)$, there exists $ys \in Beh(L)$ with $(xs, ys) \in 
F^\omega$ and $Q_K(xs) \subseteq Q_L(ys)$. 

It is easy to verify that preservation of quiescence is compositional: if $F : 
K \multimap L$ and $G : L \multimap M$ both preserve quiescence, the composition $(F; G) : 
K \multimap M$ also preserves quiescence. Also, if $F : K \multimap L$ preserves quiescence 
and $G$ is a relation between $states(K)$ and $states(L)$ with $F \subseteq G$, then $G$ is a 
simulation $K \multimap L$ that preserves quiescence. 

Example G'. Going back to Example G in Sect. 3.1, we let $K'$ be the specification 
obtained from $K$ by omitting the requirement that $k$ keeps changing. So, the 
property is weakened to $prop(K') = \Diamond[\,k = 1\,]$. By the same argument as 
before, relation $F$ is a simulation $K' \multimap L'$. This simulation does not preserve 
quiescence. Indeed, let $xs$ and $ys$ be behaviours of $K'$ and $L'$ with $(xs, ys) \in F^\omega$. 
Let $r$ be the first index with $xs_r = 1$; then $r$ is a quiescent index of $xs$ but not 
of $ys$, since the boolean $b$ is still false. □ 
Example I. We construct an even simpler simulation that does not preserve qui- 
escence. Consider specifications $K$ and $L$, both with state space $X = \{0, 1, 2\}$, 
initial set $\{1\}$, and supplementary property $\Diamond\Box[\,\{0\}\,]$. The next-state relations 
are given by 

$step(K) = 1_X \cup \{(1,0),(0,1)\}$ , 
$step(L) = 1_X \cup \{(1,0),(1,2),(2,1)\}$ . 

The behaviours of $K$ are infinite lists over $\{0, 1\}$ that start with 1 and contain 
only finitely many ones. The behaviours of $L$ are finite lists over $\{1,2\}$ that 
start and end with 1, followed by infinitely many zeroes. In either case, the 
quiescent indices are those of the zero elements in the list. 

Let relation $F$ on $X$ be the set $F = \{(0, 0), (0, 2), (1, 1)\}$. Relation $F$ is 
a simulation $K \multimap L$. In fact, for every $xs \in Beh(K)$, there is precisely one 
$ys \in Beh(L)$ with $(xs, ys) \in F^\omega$. If $n$ is the least number with $xs_i = 0$ for all 
$i \geq n$, then $ys_j = 2$ for all $j < n$ with $xs_j = 0$, and $ys_j = xs_j$ in all other 
cases. Since $xs_j$ can be zero when $ys_j$ is not, simulation $F$ does not preserve 
quiescence. For instance, if $xs = (1, 0, 0, 1, 0^\omega)$, we need $ys = (1, 2, 2, 1, 0^\omega)$. □ 

Preservation of quiescence does not occur in [1]. Its role is played by the 
stronger concept of internal continuity. We therefore have to clarify the rela- 
tionship between these concepts. Following the same paper, we define a visible 
specification $(K, f)$ to be internally continuous iff every infinite initial execution 
$xs$ of $K$ with $f^\omega(xs) \in Obs(K, f)$ is a behaviour of $K$. As the next result shows, 
internal continuity of the target specification implies preservation of quiescence 
by every simulation that yields an implementation according to Theorem 0. 

Lemma 3. Let $(K,f)$ and $(L,g)$ be visible specifications and assume that 
$(L, g)$ is internally continuous. Let $F : K \multimap L$ be a simulation with $(F; g) \subseteq f$. 
Then $F$ preserves quiescence. 

Proof. Let $xs$ be a behaviour of $K$. We have to provide a behaviour $ys$ of 
$L$ with $(xs, ys) \in F^\omega$ and $Q_K(xs) \subseteq Q_L(ys)$. Since $F$ is a simulation, we 
can choose a behaviour $ys$ of $L$ with $(xs, ys) \in F^\omega$. It remains to prove that 
$Q_K(xs) \subseteq Q_L(ys)$. 

Let $n \in Q_K(xs)$ be given. Write $xn = E_n(xs)$ and $yn = E_n(ys)$. Then $yn$ 
is an infinite initial execution of $L$ with $(xn, yn) \in F^\omega$. Just as in the proof 
of Theorem 0, the inclusion $(F; g) \subseteq f$ implies that $f(x) = g(y)$ for every 
$(x,y) \in F$. It follows that $g^\omega(yn) = f^\omega(xn)$. Since $n \in Q_K(xs)$, we have 
$f^\omega(xn) \in Obs(K, f)$. Theorem 0 implies that $(K, f)$ implements $(L, g)$. It 
therefore follows that $g^\omega(yn) \in Obs(L, g)$. Now, internal continuity of $(L, g)$ 
implies that $yn$ is a behaviour of $L$, so that $n \in Q_L(ys)$. □ 
The following lemma implies that refinement mappings and forward and 
backward simulations all preserve quiescence. 

Lemma 4. Every flat simulation $F : K \multimap L$ preserves quiescence. 

Proof. Let $xs \in Beh(K)$. Since $F$ is a simulation, there exists $ys \in Beh(L)$ with 
$(xs, ys) \in F^\omega$. It suffices to prove that $Q_K(xs) \subseteq Q_L(ys)$. Let $n \in Q_K(xs)$. 
Write $xn = E_n(xs)$ and $yn = E_n(ys)$. Since $n \in Q_K(xs)$, we have $xn \in Beh(K)$. 
On the other hand, $yn$ is an infinite initial execution of $L$ and $(xn, yn) \in F^\omega$. 
Flatness of $F$ implies that $yn$ is a behaviour of $L$. This proves $n \in Q_L(ys)$. □ 

4 An Eternity Variable for Refinement 

We now develop an alternative for prophecy variables or backward simula- 
tions that is simpler and in a theoretical sense more powerful. Extending the 
metaphor of history and prophecy variables, they are named eternity variables, 
since they do not change during execution. 

They are simpler than prophecy variables in the sense that, below, both 
the proof of soundness in Lemma 5 and the proof of completeness in Theorem 
1 are simpler than the corresponding proofs for prophecy variables. They are 
theoretically more powerful in the sense that their completeness does not require 
additional finiteness assumptions. 

The idea is that an eternity variable has an indeterminate constant value, 
but that the states impose restrictions on this value. A behaviour in which the 
eternity variable ever has a wrong value is simply discarded. Therefore, in every 
behaviour, the eternity variable always has a value that satisfies all restrictions 
of the behaviour. 

The specification obtained by adding an eternity variable is called an eternity 
extension. In Sect. 4.1 we introduce eternity extensions, prove their soundness, 
and give a simple example. Completeness of eternity extension is proved in Sect. 
4.2. At first sight, the use of eternity variables may seem to require arguing 
about complete behaviours rather than states and the next-state relation. As 
argued in Sect. 4.3, however, it is possible to combine the use of eternity variables 
conveniently with assertional methods. 

4.1 Eternity Extensions Defined 

Let $K$ be a specification. Let $M$ be a set of values for an eternity variable $m$. A 
binary relation $R$ between $states(K)$ and $M$ is called a behaviour restriction of 
$K$ iff, for every behaviour $xs$ of $K$, there exists an $m \in M$ with $(xs_i, m) \in R$ for 
all indices $i$: 

(BR) $xs \in Beh(K) \;\Rightarrow\; (\exists\, m :: (\forall\, i :: (xs_i, m) \in R))$ . 

If $R$ is a behaviour restriction of $K$, we define the corresponding eternity exten- 
sion as the specification $W$ given by 
$states(W) = R$ , 
$start(W) = R \cap (start(K) \times M)$ , 
$((x,m), (x',m')) \in step(W) \;\equiv\; (x,x') \in step(K) \wedge m = m'$ , 
$ys \in prop(W) \;\equiv\; fst^\omega(ys) \in prop(K)$ . 

It is clear that $step(W)$ is reflexive and that $prop(W)$ is a property. Therefore 
$W$ is a specification. It is easy to verify that $fst : states(W) \to states(K)$ is a 
refinement mapping. The soundness of eternity extensions is expressed by 

Lemma 5. Let $R$ be a behaviour restriction. Then relation $cvf = cv(fst)$ is a 
flat simulation $K \multimap W$. 

Proof. We first prove that $cvf$ is a simulation. Let $xs \in Beh(K)$. We have to 
construct $ys \in Beh(W)$ with $(xs, ys) \in cvf^\omega$. By (BR), we can choose $m$ with 
$(xs_i, m) \in R$ for all $i$. Then we define $ys_i = (xs_i, m)$. A trivial verification shows 
that the list $ys$ constructed in this way is a behaviour of $W$ with $(xs, ys) \in cvf^\omega$. 
This proves that $cvf$ is a simulation. Flatness of $cvf$ follows directly from the 
definitions of flatness and $prop(W)$. □ 

The simulation $cvf : K \multimap W$ of Lemma 5 is called the eternity extension 
of $K$ corresponding to behaviour restriction $R$. In this construction, we fully 
exploit the ability to consider specifications that are not machine closed. Ini- 
tial executions of $W$ that cannot be extended to behaviours of $W$ are simply 
discarded. 

Remark. If $M$ is a singleton set, such as the type void, the existential quantifica- 
tion in (BR) can be eliminated and condition (BR) reduces to the requirement 
that $D = \{x \mid (x, -) \in R\}$ is an invariant. Then $W$ is isomorphic to the $D$- 
restricted specification $K_D$ and $cvf$ corresponds to the simulation $1_D : K \multimap K_D$ 
of Lemma 0(a) in Sect. 3.2. □ 

Example J. We give a simple example where a nontrivial eternity variable is 
used to prove that a given relation is a simulation. Let $K$ be the specification 
given by the program 

var j : Nat , b : Boolean ; 
initially: j = 0 ∧ ¬b ; 
do ¬b → j := j + 1 ; 
[] j ≠ 0 → b := true ; 
od ; 
prop: b is sometimes true. 

Let $L$ be the specification given by 

var k, n : Nat := 0, 0 ; 
do n = 0 → k := 1 ; choose n ≥ 1 ; 
[] k < n → k := k + 1 ; 
od ; 
prop: sometimes k = n. 
Recall that the alternatives in the do loop are regarded as atomic. Let relation 
$F$ between the state spaces of $K$ and $L$ be given by 

$((j,b),(k,n)) \in F \;\equiv\; j = k$ . 

We claim that $F$ is a simulation. In every behaviour, specification $L$ chooses the 
number of nontrivial steps of the behaviour in the first nontrivial step. For $K$, 
this number is determined in the last nontrivial step. It thus needs prescience 
to construct the behaviour of $L$ from that of $K$. 

We therefore factor relation $F$ over an eternity extension. For this purpose, 
we form the eternity extension with eternity variable $m : \mathbb{N}$ and relation 

$R :\; j \leq m \wedge (\neg b \vee j = m)$ . 

The state of $K$ remains constant once $b$ has become true. Therefore, every 
behaviour of $K$ has a unique value for $m$ that satisfies $R$, namely the final 
value of $j$. This shows that $R$ is a behaviour restriction. We thus form the 
corresponding eternity extension $cvf : K \multimap W$. In view of behaviour restriction 
$R$, specification $W$ can be regarded as the program 

var j , m : Nat , b : Boolean ; 
initially: j = 0 ∧ ¬b ; 
do ¬b ∧ j < m → j := j + 1 ; 
[] j = m → b := true ; 
od ; 
prop: b is sometimes true. 

Let $g : states(W) \to states(L)$ be given by 

$g(j, b, m) = (j, (j = 0 \;?\; 0 : m))$ , 

where $(\_\,?\,\_\,:\,\_)$ stands for a conditional expression as in the language C. It 
is easy to see that $g$ maps the initial states of $W$ into the initial state of $L$. 
Every step according to the first alternative of $W$ is transformed into a step of 
$L$. Every step according to the second alternative of $W$ is transformed into a 
stuttering step of $L$. Every behaviour of $W$ is transformed into a behaviour of 
$L$. Therefore $g$ is a refinement mapping $W \multimap L$. The composition $(cvf; g)$ is 
contained in relation $F$. This shows that $F$ is a simulation. □ 
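As an added illustration of Example J (this code is not part of the paper), the following Python script builds a behaviour of $K$ for a chosen number of increments, extracts the eternity value $m$ as the final value of $j$, checks the behaviour restriction $R$ on every state, applies $g$ to the resulting behaviour of $W$, and checks that the image is a behaviour of $L$ that is related to the original by $j = k$. The encoding of $step(L)$ as `l_step` and the representation of eventually constant lists as a prefix plus a repeated tail state are this example's own conventions.

```python
def k_behaviour(increments):
    """Constructed behaviour of K (Example J): j is incremented `increments`
    times (at least once, since b := true needs j != 0) and then b is set.
    Eventually constant lists are written (prefix, tail): prefix, then the
    tail state forever."""
    assert increments >= 1
    prefix = tuple((j, False) for j in range(increments + 1))
    return (prefix, (increments, True))

def restriction(state, m):
    """R: j <= m and (not b or j = m)."""
    j, b = state
    return j <= m and (not b or j == m)

def eternity_value(beh):
    """The value m with (xs_i, m) in R for all i: the final value of j.
    Any other m is rejected by R somewhere, which is what discards it."""
    prefix, tail = beh
    m = tail[0]
    assert all(restriction(s, m) for s in prefix + (tail,))
    return m

def g(j, b, m):
    """Refinement mapping W -> L: g(j, b, m) = (j, (j == 0 ? 0 : m))."""
    return (j, 0 if j == 0 else m)

def l_step(s, t):
    """step(L): a stutter, the first alternative (n = 0 -> k := 1; choose
    n >= 1), or the second alternative (k < n -> k := k + 1)."""
    (k, n), (k2, n2) = s, t
    return (s == t
            or (n == 0 and k2 == 1 and n2 >= 1)
            or (k < n and k2 == k + 1 and n2 == n))

def l_behaviour(ys):
    """ys is a behaviour of L: it starts at (0, 0), every step is in
    step(L), and sometimes k = n."""
    prefix, tail = ys
    seq = prefix + (tail,)
    return (seq[0] == (0, 0)
            and all(l_step(seq[i], seq[i + 1]) for i in range(len(seq) - 1))
            and any(k == n for (k, n) in seq))

def simulate_via_eternity(increments):
    """Factor F through the eternity extension W: pair every state of the
    K behaviour with m, apply g, and check the result against L and F."""
    xs = k_behaviour(increments)
    m = eternity_value(xs)
    ws = (tuple((j, b, m) for (j, b) in xs[0]), xs[1] + (m,))   # behaviour of W
    ys = (tuple(g(*w) for w in ws[0]), g(*ws[1]))
    xseq, yseq = xs[0] + (xs[1],), ys[0] + (ys[1],)
    related = all(j == k for (j, _), (k, _) in zip(xseq, yseq))  # (xs, ys) in F^omega
    return ys, l_behaviour(ys) and related

if __name__ == "__main__":
    print(simulate_via_eternity(3))
    # ((((0, 0), (1, 3), (2, 3), (3, 3)), (3, 3)), True)
```

With three increments the image under $g$ is $(0,0), (1,3), (2,3), (3,3), (3,3), \ldots$: the first step of $W$ becomes the first alternative of $L$ (which fixes $n = m$), the later increments become the second alternative, and the step that sets $b$ becomes a stutter, exactly as the text describes.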

4.2 Completeness of Eternity Extensions 

The combination of forward simulations, eternity extensions and refinement 
mappings is semantically complete in the following sense. 

Theorem 1. Let $F : K \multimap L$ be a simulation that preserves quiescence. There 
exist a forward simulation $fw : K \multimap H$, an eternity extension $et : H \multimap W$ and 
a refinement mapping $g : W \multimap L$ such that $(fw; et; g) \subseteq F$. 

Proof. According to Lemma 1, the unfolding $cvl : K \multimap K^*$ is a forward simu- 
lation. It therefore suffices to prove the following more specific result. 
Lemma 6. Let $F : K \multimap L$ be a simulation that preserves quiescence. The 
unfolding $cvl : K \multimap K^*$ has an eternity extension $cvf : K^* \multimap W$ and a refine- 
ment mapping $g : W \multimap L$ such that $(cvl; cvf; g) \subseteq F$. 

Proof. We extend $K^*$ with an eternity variable $m$ in the set $Beh(L)$. For this 
purpose, let relation $R$ between $states(K^*)$ and $Beh(L)$ consist of the pairs 
$(xs, ys)$ such that, for some $xt \in Beh(K)$, it holds that 

$xs \sqsubseteq xt \;\wedge\; (xt, ys) \in F^\omega \;\wedge\; Q_K(xt) \subseteq Q_L(ys)$ . 

We show that $R$ is a behaviour restriction by verifying condition (BR). Let $uss$ 
be any behaviour of $K^*$. Define $vss$ to be the stutterfree behaviour of $K^*$ with 
$vss \preceq uss$. By Lemma 2 we have that $xt = last^\omega(vss)$ is a behaviour of $K$ such 
that $vss_i$ is a prefix of $xt$ for all indices $i$. Since $F : K \multimap L$ preserves quiescence, 
specification $L$ has a behaviour $ys$ with $(xt, ys) \in F^\omega$ and $Q_K(xt) \subseteq Q_L(ys)$. 
This implies that $(vss_i, ys) \in R$ for all $i \in \mathbb{N}$. Since every element of $uss$ is an 
element of $vss$, it follows that $(uss_i, ys) \in R$ for all $i \in \mathbb{N}$. Taking $m = ys$, this 
proves condition (BR), so that $R$ is a behaviour restriction. 

Let $W$ be the $R$-eternity extension of $K^*$. By Lemma 5 we have a simulation 
$cvf : K^* \multimap W$. Define $g : R \to states(L)$ by 

$g(xs, ys) = last(ys \mid \ell(xs))$ . 

We show that $g$ is a refinement mapping from $W$ to $L$. Firstly, let $w \in start(W)$. 
Then $w$ is of the form $w = (xs, ys)$ with $\ell(xs) = 1$. Therefore $g(w) = last(ys \mid 1) = 
ys_0 \in start(L)$. In every nonstuttering step in $W$, the length of $xs$ is incremented 
by 1 and then we have $(ys_n, ys_{n+1}) \in step(L)$. Therefore, function $g$ maps 
steps of $W$ to steps of $L$. 

In order to show that $g$ maps every behaviour of $W$ to a behaviour of $L$, it 
suffices to show that $g^\omega(ws) \in prop(L)$ for every stutterfree behaviour $ws$ of $W$. So, 
let $ws$ be a stutterfree behaviour of $W$. Since $ws$ is a behaviour of $W$, its elements 
have a common second component $ys \in Beh(L)$. We can therefore write $ws_k = 
(us_k, ys)$ for all $k$. Since $ws \in Beh(W)$, we have $us = fst^\omega(ws) \in Beh(K^*)$. In 
particular, $(us_k, us_{k+1}) \in step(K^*)$ for all $k$, and $last^\omega(us) \in prop(K)$. 

We have $g(ws_k) = last(ys \mid \ell(us_k))$. Since $ws$ is stutterfree, $us$ is stutterfree. 
There are two possibilities. Either all elements of $us$ are different, or up to 
some index $n$ all elements of $us$ are different and from $n$ onward they stay 
the same. This implies that either $\ell(us_k) = k + 1$ for all $k$, or there exists a 
number $n$ such that $\ell(us_k) = \min(k, n) + 1$ for all $k$. In the first case, we 
have $g^\omega(ws) = ys \in prop(L)$. In the second case, $g^\omega(ws) = E_n(ys)$. Therefore, 
$g^\omega(ws) \in prop(L)$ would follow from $n \in Q_L(ys)$. Since $(us_n, ys) = ws_n \in R$, 
there exists a behaviour $ut$ of $K$ such that $us_n \sqsubseteq ut$ and $(ut, ys) \in F^\omega$ and 
$Q_K(ut) \subseteq Q_L(ys)$. Since $\ell(us_n) = n + 1$, we have $us_n = (ut \mid n+1)$. This implies 
that $E_n(ut)$ equals $us_n$ followed by infinitely many states $ut_n = last(us_n)$. It 
follows that $E_n(ut) = last^\omega(us) \in prop(K)$ and hence $n \in Q_K(ut) \subseteq Q_L(ys)$. 

It remains to prove $(cvl; cvf; g) \subseteq F$. Let $(x, y)$ be in the lefthand relation. 
By the definition of $(cvl; cvf; g)$, there exist $xs \in states(K^*)$ and $w \in states(W)$ 
with $x = last(xs)$ and $xs = fst(w)$ and $g(w) = y$. By the definition of $W$, we 
can choose $ys \in Beh(L)$ with $w = (xs, ys)$. Let $n = \ell(xs)$. Then $x = xs_{n-1}$ and 
$y = g(w) = ys_{n-1}$. Since $(xs, ys) \in R$, we also have $(x, y) = (xs_{n-1}, ys_{n-1}) \in F$. 
This proves the inclusion. □ 

Remarks. Theorem 1 is more relevant than Lemma 6 since it suggests the flexi- 
bility to add conveniently many history variables, and not more than necessary. 

The converse of Theorem 1 also holds. In fact, forward simulations, eternity 
extensions and refinement mappings are flat simulations, which preserve quies- 
cence by Lemma 4. Since preservation of quiescence is compositional, it follows 
that every simulation $F$ that satisfies the consequent of Theorem 1 preserves 
quiescence. 

4.3 Behavioural or Assertional Reasoning? 

In general, there are two methods for the verification of concurrent algorithms 
(as discussed, e.g., in [?, p. 344]). One method, the assertional approach, is 
to rely on invariants and variant functions. The alternative, the behavioural 
approach, is to argue about execution sequences (behaviours) where certain 
actions precede other actions. We prefer the assertional approach, see also 
[?] where we described it as the synchronic approach. Yet, it is clear that, 
in the analysis of an algorithm that gradually modifies the state, we cannot 
avoid temporal or behavioural arguments completely. We therefore strive for a 
separation of concerns where the behavioural argument is a formal triviality and 
all complexity of the algorithm is treated at the level of states and the next-state 
relation. 

One may object that our proof obligation (BR) in Sect. 4.1 requires quantification 
over all possible behaviours, which is precisely what the assertional methods try 
to avoid. This objection is not justified. In fact, it could equally well be raised 
against the use of invariants, defined as predicates that hold in all reachable 
states. 

The question thus boils down to establishing condition (BR) of Sect. 4.1. Given 
a behaviour $xs$, one has to construct a value $m$ for the eternity variable such 
that $(\forall\, i :: (xs_i, m) \in R)$. In practice, we proceed as follows. First rephrase 
$(\forall\, i :: (xs_i, m) \in R)$ as $(\forall\, i :: xs_i \in R(m))$ for a state predicate $R(m)$, with a 
free variable $m$ yet to be determined. Predicate $R(m)$ plays the same role as an 
invariant, but only for a specific behaviour $xs$. 

We now use that Theorem 1 allows us the introduction of history variables. 
We introduce a history variable the value of which converges in a certain sense 
for every behaviour, and we use the "limit" as a value for $m$. In the above 
Example J, the final value of the variable $j$ was this limit. 

In our more interesting examples (see Sect. 5 and [12]), the eternity variable 
$m$ is an infinite sequence and the approximating history variable consists of a 
pair $(n, a)$ where $n$ holds a natural number and $a$ is an infinite array filled up to 
$n$. This pair is modified only by steps of the form 

( a[n] := expression ; n := n + 1 ) . 

The behaviour restriction is given as the state predicate 

(*) $R(m) \;\equiv\; (\forall\, j : j < n : m(j) = a[j])$ . 

Since $n$ is incremented only and $a$ is never modified at indices below $n$, for every 
behaviour $xs$, the existence of a value $m$ that always satisfies $R(m)$ is a formal 
triviality. 

In our applications, this is the only behavioural argument needed. The 
remainder of the verification can be done by assertional methods. Of course, 
creativity is needed to come up with approximating history variables that carry 
enough information, but this is the same kind of creativity as needed to invent 
invariants. 

When we restrict the method to behaviour restrictions of the special kind 
(*), we cannot maintain completeness, since in the proof of Lemma 6 we used a 
different kind of behaviour restriction. So, indeed, we cannot guarantee that in 
all applications there is a convenient reduction to the assertional setting. 

5 A Slightly Bigger Example 

In this section, we illustrate the theory by a tiny application. We prove that a 
relation between the state spaces of specifications $K0$ and $K1$ is a simulation 
by factoring it over a forward simulation, an eternity extension, an invariant 
restriction, and two refinement mappings. 

5.1 The Problem 

Let $K0$ be the specification corresponding to the program 

var j : Nat := 0 ; 
do true → j := j + 1 ; 
[] j > 0 → j := 0 ; 
od ; 
prop: j decreases infinitely often. 

The fairness assumption requires that the second alternative is chosen infinitely 
often. Specification $K0$ has $states(K0) = \mathbb{N}$ and $start(K0) = \{0\}$ and relation 
$step(K0)$ given by 

$(j, j') \in step(K0) \;\equiv\; j' \in \{0, j, j + 1\}$ . 

The supplementary property that $j$ decreases infinitely often is expressed in 
$prop(K0) = \Box\Diamond[\, j > j' \,]$. 

We extend specification $K0$ with a variable $z$ that guesses when $j$ will jump 
back. We thus obtain the extended specification $K1$ with the program 

var j, z : Nat := 0, 0 ; 
do j < z → j := j + 1 ; 
[] j = 0 → j := 1 ; choose z ≥ 1 ; 
[] j = z → j := 0 ; z := 0 ; 
od ; 
prop: (j, z) changes infinitely often. 

Recall that the alternatives in the loop are executed atomically. The supple- 
mentary property only ensures that behaviours do not stutter indefinitely. We 
thus have $prop(K1) = \Box\Diamond[\, (j, z) \neq (j', z') \,]$. 

The function $f_{1,0} : states(K1) \to states(K0)$ given by $f_{1,0}(j, z) = j$ is easily 
seen to be a refinement mapping $K1 \multimap K0$. 

More interesting is the converse relation $F_{0,1} = cv(f_{1,0})$. It is not difficult 
to show by ad-hoc methods that $F_{0,1}$ is a simulation $K0 \multimap K1$, but the aim of 
this section is to do it systematically by means of the theory developed. 

In comparison with $K0$, the variable $z$ seems to prophesy the future be- 
haviour. This suggests using a backward simulation. Our best guess is the 
relation $F = \{(j, (j, z)) \mid j \leq z\}$ between the state spaces of $K0$ and $K1$. In- 
deed, relation $F$ satisfies three of the four conditions for backward simulations, 
but condition (B2) fails: the sets $\{y \mid (x, y) \in F\}$ are always infinite. We 
therefore use factorization over an eternity extension. 

5.2 A History Extension to Approximate Eternity 

Every behaviour of $K1$ contains infinitely many steps where a new value for $z$ 
is chosen. These values are prophecies with respect to $K0$. In the behaviours 
of $K0$, these values can only be seen at the jumping steps. We therefore extend 
$K0$ with an infinite array of history variables to record the subsequent jumping 
values. 

We thus extend specification $K0$ with two history variables $n$ and $q$. Variable 
$n$ counts the number of backjumps of $j$, while $q$ is an array that records the 
values from where $j$ jumped. 

var j : Nat := 0 , n : Nat := 0 , 
    q : array Nat of Nat := ([Nat] 0) ; 
do true → j := j + 1 ; 
[] j > 0 → q[n] := j ; n := n + 1 ; j := 0 ; 
od ; 
prop: j decreases infinitely often. 

This yields a specification $K2$ with the supplementary property $\Box\Diamond[\, j > j' \,]$ 
where $j'$ stands for the value of $j$ in the next state. 

It is easy to verify that the function $f_{2,0} : states(K2) \to states(K0)$ given 
by $f_{2,0}(j, n, q) = j$ is a refinement mapping. Its converse $F_{0,2} = cv(f_{2,0})$ is a 
forward simulation $K0 \multimap K2$. Indeed, the conditions (F0) and (F2) hold almost 
trivially. As for (F1), if we have related states in $K0$ and $K2$, and the state in 
$K0$ makes a step, it is clear that $K2$ can take a step such that the states remain 
related. The variables $n$ and $q$ are called history variables since they record the 
history of the execution. 

5.3 An Example of an Eternity Extension 

We now extend K2 with an eternity variable m, which is an infinite array of
natural numbers with the behaviour restriction

R : $(\forall i : 0 \le i < n : m[i] = q[i])$ .

We have to verify that every behaviour of K2 allows a value for m that satisfies
condition R. So, let xs be an arbitrary behaviour of K2. Since j jumps back
infinitely often in xs, the value of n tends to infinity. Since q[i] is written only
in the back-jumping step that increases n from i to i + 1, this implies that q[i] is
eventually constant for every index i. We can therefore define the function $m : \mathbb{N} \to \mathbb{N}$
by $\Diamond\Box[\, m(i) = q[i] \,]$ for all $i \in \mathbb{N}$. It follows that $\Box[\, i < n \Rightarrow m(i) = q[i] \,]$ for
all i. This proves that the function m is a value for the variable m that satisfies R for behaviour xs.

Let K3 be the resulting eternity extension and $F_{2,3} : K2 \rhd K3$ be the
simulation induced by Lemma [S]. Specification K3 corresponds to the program

var j : Nat := 0 , n : Nat := 0 ,
    q : array Nat of Nat := ([Nat] 0) ,
    m : array Nat of Nat {arbitrary} ;
do true  →  j := j + 1 ;
[] j = m[n] > 0  →  q[n] := j ; n := n + 1 ; j := 0 ;
od ;

prop: j decreases infinitely often.

5.4 Using Refinement Mappings and an Invariant 

We first eliminate array q, which has played its role. This gives a refinement
mapping $f_{3,4}$ from K3 to the specification K4 with program

var j : Nat := 0 , n : Nat := 0 ,
    m : array Nat of Nat {arbitrary} ;
do true  →  j := j + 1 ;
[] j = m[n] > 0  →  n := n + 1 ; j := 0 ;
od ;

prop: j decreases infinitely often.

Since j must decrease infinitely often in K4, the occurring states of K4 satisfy
the invariant

D : $j \le m[n] \;\wedge\; (\forall i :: m[i] \ge 1)$ .

Note that D is not a forward invariant of K4, see Sect. 12.11. Let K5 be the
D-restriction of K4, with the simulation $Id : K4 \rhd K5$ of Lemma EI (a). Specification
K5 corresponds to

var j : Nat := 0 , n : Nat := 0 ,
    m : array Nat of Nat with (∀ i :: m[i] ≥ 1) ;
do j < m[n]  →  j := j + 1 ;
[] j = m[n] > 0  →  n := n + 1 ; j := 0 ;
od ;

prop: j decreases infinitely often.

Let the function $f_{5,1} : states(K5) \to states(K1)$ be defined by

$f_{5,1}(j, n, m) = (j,\ (j = 0\ ?\ 0 : m[n]))$ ,

again using a C-like conditional expression. We verify that $f_{5,1}$ is a refinement
mapping. Since $f_{5,1}(0, 0, m) = (0, 0)$, initial states are mapped to initial states.
We now show that a step of K5 is mapped to a step of K1. By convention,
this holds for a stuttering step. A nonstuttering step that starts with j = 0
increments j to 1. The $f_{5,1}$-images make a step from (0, 0) to (1, z) for some
positive number z. This is in accordance with K1. A step of K5 that increments
a positive j has the precondition j < m[n]; therefore, the $f_{5,1}$-images make a
K1-step. A back-jumping step of K5 has the precondition j = m[n] > 0. Again, the
$f_{5,1}$-images make a K1-step. It is easy to see that $f_{5,1}$ transforms behaviours of
K5 into behaviours of K1.

We thus have a composed simulation $G = (F_{0,2};\ F_{2,3};\ f_{3,4};\ Id;\ f_{5,1}) : K0 \rhd K1$.
One can verify that $(j, (k, m)) \in G$ implies j = k. It follows that the above
relation $F_{0,1}$ satisfies $G \subseteq F_{0,1}$. Therefore, $F_{0,1}$ is a simulation $K0 \rhd K1$. This
shows that an eternity extension can be used to prove that $F_{0,1}$ is a simulation
$K0 \rhd K1$.
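The last refinement step is small enough to check mechanically on a finite prefix of the eternity array m. The Python below is an added example, not code from the paper. It transcribes the programs K4 and K5 given above, explores their reachable states for a constructed prefix m = (2, 1, 3), and checks that the $f_{5,1}$-image of every K5 step is either a stutter or a K1 step. Run on K4 instead, the same check fails, and the invariant D is not preserved by K4's unguarded increment, which is why the D-restriction to K5 was needed before $f_{5,1}$ could be a refinement mapping. The step relation of K1 is not spelled out in this section; the one coded here is an assumption, reconstructed from the case analysis for $f_{5,1}$.

```python
"""Bounded, mechanical check of the refinement step f_{5,1} : K5 -> K1.

Added example, not part of the paper. K4 and K5 are transcribed from the
programs in Sect. 5.4. The step relation of K1 is an ASSUMPTION reconstructed
from the case analysis for f_{5,1}: from (0,0) choose a bound z >= 1 and set
j := 1; while 0 < j < z increment j; when j = z > 0 return to (0,0).
The eternity array m is cut to a finite prefix; a state whose n runs off the
prefix has no successors, so the reachable state spaces are finite.
"""
from collections import deque

J_MAX = 12  # cap on j for K4, whose increment is unguarded (K5 needs no cap)


def k4_successors(state):
    """Non-stuttering K4 steps: unconditional increment, back-jump when j = m[n] > 0."""
    j, n, m = state
    succ = []
    if n < len(m):
        if j < J_MAX:
            succ.append((j + 1, n, m))
        if j == m[n] and j > 0:
            succ.append((0, n + 1, m))
    return succ


def k5_successors(state):
    """Non-stuttering K5 steps: the increment is guarded by j < m[n]."""
    j, n, m = state
    succ = []
    if n < len(m):
        if j < m[n]:
            succ.append((j + 1, n, m))
        if j == m[n] and j > 0:
            succ.append((0, n + 1, m))
    return succ


def invariant_d(state):
    """D : j <= m[n] and every m[i] >= 1 (the j-clause is vacuous off the prefix)."""
    j, n, m = state
    return all(v >= 1 for v in m) and (n >= len(m) or j <= m[n])


def f51(state):
    """The refinement mapping f_{5,1}(j, n, m) = (j, (j == 0 ? 0 : m[n]))."""
    j, n, m = state
    return (j, 0 if j == 0 else m[n])


def is_k1_step(s, t):
    """Assumed K1 step relation on states (j, z); see the module docstring."""
    j, z = s
    j2, z2 = t
    if (j, z) == (0, 0):
        return j2 == 1 and z2 >= 1
    if 0 < j < z:
        return (j2, z2) == (j + 1, z)
    if 0 < j == z:
        return (j2, z2) == (0, 0)
    return False


def reachable(init, successors):
    """Breadth-first closure of init under the successor function."""
    seen = {init}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        for t in successors(s):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen


def refinement_violations(m, successors=k5_successors):
    """Reachable steps (s, t) whose f51-images are neither equal (stutter) nor a K1 step."""
    init = (0, 0, tuple(m))
    bad = []
    for s in sorted(reachable(init, successors)):
        for t in successors(s):
            fs, ft = f51(s), f51(t)
            if fs != ft and not is_k1_step(fs, ft):
                bad.append((s, t))
    return bad


def d_is_forward_invariant(m, successors):
    """True iff no reachable D-state has a successor outside D (D is inductive)."""
    init = (0, 0, tuple(m))
    return all(
        invariant_d(t)
        for s in reachable(init, successors) if invariant_d(s)
        for t in successors(s)
    )


if __name__ == "__main__":
    M = (2, 1, 3)  # constructed prefix of the eternity array m
    print("f51 violations in K5:", refinement_violations(M))
    print("f51 violations in K4:", len(refinement_violations(M, k4_successors)))
    print("D inductive in K5:", d_is_forward_invariant(M, k5_successors))
    print("D inductive in K4:", d_is_forward_invariant(M, k4_successors))
```

The first violation reported for K4 is the step from (2, 0, m) to (3, 0, m): its image (2, 2) to (3, 2) is not a K1 step, because K1 may only jump back to (0, 0) once j has reached z. Exactly this step is what the guard j < m[n] of K5 removes.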

Remark. We have taken more steps here than accounted for in Theorem 1. By 
taking a different behaviour restriction R, we could have compressed the last 
three steps into one more complicated step. □ 

6 Conclusions and Future Work 

We have introduced simulations of specifications to unify all cases where an 
implementation relation can be established. This unifies refinement mappings, 
history variables or forward simulations, and prophecy variables or backward 
simulations, and refinement of atomicity as in Lipton's Theorem (HIEOI- This 
unification is no great accomplishment: a general term to unify distinct kinds 
of extensions is useful for the understanding, but methodologically void. 

We have introduced eternity extensions as variations of prophecy variables 
and backward simulations. We have proved semantic completeness: every sim- 
ulation that preserves quiescence can be factored as a composition of a forward 
simulation, an eternity extension and a refinement mapping. The restrictive as- 
sumptions machine-closedness and finite invisible nondeterminism, as needed for 
completeness of prophecy variables or forward-backward simulations in ^ I21| 
are superfluous when eternity variables are allowed. The assumption of internal 
continuity is weakened to preservation of quiescence. 
The theory has two versions. In the strict version presented here, we allow
the concrete behaviours to take more but not fewer computation steps than the
abstract behaviours. This is done by allowing additional stutterings to the
abstract specifications. The strict theory is also the simpler one and it results
in a finer hierarchy of specifications than the stuttering theory.

It is likely that the results of this paper can be transferred to input-output 
automata and labelled transition systems. The ideas may also be useful in 
specifications and correctness arguments for real-time systems. 

As indicated above, we developed the theory of eternity variables to apply 
them in ^2] to the serializable database interface problem of 0^1121]. The 
practicality of the use of eternity variables is witnessed by the fact that the 
proof in is verified by means of the mechanical theorem prover NQTHM [3], 
which is based on first-order logic. 

Acknowledgements. I am grateful to Eerke Boiten, Leslie Lamport, Carroll Morgan,
and Gerard Renardel de Lavalette for encouragements, comments, and profound
discussions.